Is there any way to verify that distribution sets and packages that I have downloaded have not been tampered with (e.g., by someone with access to the mirror from which I downloaded them)?
The package system supports signatures, but the packages distributed on OpenBSD mirrors are unsigned, as is the SHA256 file in each directory.